Find DKIM and DMARC Records?

Solution 1:

To query the TXT record for DMARC, you can use:

dig TXT _dmarc.example.org

To query for a particular DKIM record, you would need to know the selector prefix. You would then query it as TXT (for example, with a Google one):

dig TXT google._domainkey.example.org

Solution 2:

For DKIM records, if you have received a DKIM-signed email from that domain, look at the DKIM-Signature header line(s).

From the spec:

All DKIM keys are stored in a subdomain named _domainkey. Given a DKIM-Signature field with a "d=" tag of example.com and an "s=" tag of foo.bar, the DNS query will be for foo.bar._domainkey.example.com.

So in this example, you can then run:

dig TXT foo.bar._domainkey.example.com

Credit to andol, whose comment led me to this solution.
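
The derivation described in Solution 2, as an added example that is not part of the original answers: it reads a message's header block, unfolds each DKIM-Signature header, and builds the `<s>._domainkey.<d>` query name. The sample message and the function names `sample_message` and `dkim_query_names` are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive DKIM DNS query names from DKIM-Signature headers.

# Constructed sample message (not real mail). The second signature is folded
# across lines, and the body carries a decoy line that must be ignored.
sample_message() {
cat <<'EOF'
Received: from mail.example.com by mx.example.net; Mon, 1 Jan 2024 00:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=foo.bar;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256;
 d=mailer.example.net;
 s=google; h=from; bh=CONSTRUCTED; b=CONSTRUCTED
From: alice@example.com
Subject: test

DKIM-Signature: v=1; d=ignored.example; s=nope
EOF
}

# Read a message on stdin; print one "<s>._domainkey.<d>" name per signature.
dkim_query_names() {
  tr -d '\r' | awk '
    function emit(   n, i, parts, eq, tag, val, d, s) {
      if (hdr == "") return
      if (tolower(hdr) ~ /^dkim-signature:/) {
        sub(/^[^:]*:/, "", hdr)      # drop the header field name
        gsub(/[ \t]/, "", hdr)       # folding whitespace is not part of d= or s=
        n = split(hdr, parts, ";")
        d = ""; s = ""
        for (i = 1; i <= n; i++) {
          eq = index(parts[i], "=")
          if (!eq) continue
          tag = substr(parts[i], 1, eq - 1); val = substr(parts[i], eq + 1)
          if (tag == "d") d = val
          if (tag == "s") s = val
        }
        if (d != "" && s != "") print tolower(s "._domainkey." d)
      }
      hdr = ""
    }
    /^$/     { emit(); exit }        # blank line ends the header block
    /^[ \t]/ { hdr = hdr $0; next }  # continuation of a folded header
             { emit(); hdr = $0 }    # a new header starts; flush the previous one
    END      { emit() }
  '
}

# Print the lookups to run rather than running them, so the example works offline.
sample_message | dkim_query_names | while read -r name; do
  printf 'dig +short TXT %s\n' "$name"
done
```

To use it on real mail, pipe a saved message into the function, for example `dkim_query_names < message.eml`, where `message.eml` is a placeholder file name.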


Solution 3:

You should use +short with dig to get the DMARC record only.

dig +short TXT _dmarc.domain.com

Solution 4:

Using the Windows built-in tool nslookup:

  1. Open Command Prompt (cmd.exe)
  2. Enter nslookup
  3. Enter set type=txt
  4. Enter _dmarc.somedomain.org, replace somedomain.org

Example:

C:\Users\user>nslookup

Default Server:  localdns
Address:  192.168.1.1

> set type=txt

> _dmarc.somedomain.org

Non-authoritative answer:
_dmarc.somedomain.org text =

    "v=DMARC1; p=none; rua=mailto:[email protected]"

You may use server 8.8.8.8 (Google DNS) before looking up the DMARC TXT record.